• Linus Torvalds's avatar
    Make file credentials available to the seqfile interfaces · 14ae9c4b
    Linus Torvalds authored
    commit 34dbbcdb upstream.
    A lot of seqfile users seem to be using things like %pK that uses the
    credentials of the current process, but that is actually completely
    wrong for filesystem interfaces.
    The unix semantics for permission checking files is to check permissions
    at _open_ time, not at read or write time, and that is not just a small
    detail: passing off stdin/stdout/stderr to a suid application and making
    the actual IO happen in privileged context is a classic exploit
    So if we want to be able to look at permissions at read time, we need to
    use the file open credentials, not the current ones.  Normal file
    accesses can just use "f_cred" (or any of the helper functions that do
    that, like file_ns_capable()), but the seqfile interfaces do not have
    any such options.
    It turns out that seq_file _does_ save away the user_ns information of
    the file, though.  Since user_ns is just part of the full credential
    information, replace that special case with saving off the cred pointer
    instead, and suddenly seq_file has all the permission information it
    [sumits: this is used in Ubuntu as a fix for CVE-2015-8944]
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarSumit Semwal <sumit.semwal@linaro.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
seq_file.c 22.5 KB